Your router/switch may be less secure than you think

Michael.Dillon at btradianz.com Michael.Dillon at btradianz.com
Wed Aug 3 13:10:10 UTC 2005


Michael Lynn is not the only person out there reverse engineering 
routers, switches, printers and other embedded systems. Lynn's 
presentation gave far less info than other people have published.
One person has published detailed instructions on how to exploit
IOS including code to do the exploit and an example scenario
of how to use it.

Contrary to what some may be worrying about, it is not the GSRs
that are most at risk. It is those old 2500s that are connected to
your customers. Imagine that one of those customer routers is
exploited, the hacker installs a tunnel, and then proceeds to 
anonymously probe the customer's network. This is the real risk
and it may very well be happening right now to one of your customers.

The following is one of the slides from a black hat presentation
which is basically a primer on reverse engineering and
exploiting embedded systems.

--------8X----------------------
How to protect
Cisco specific

! Have no overflows in IOS
! Keep your IOS up to date
! Do not run unneeded services (TFTP)
! Tell your IDS about it. Signature:
\xFD\x01\x10\xDF\xAB\x12\x34\xCD
! debug sanity might stop less experienced attackers
! The hard way: config-register 0x00
! Perform logging on a separate segment
! Protect your syslog host

---------8X-----------------------
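The slide's "Tell your IDS about it" item only works if the sensor actually sees the byte string, including when it straddles two packets or two read() buffers. The following is an added example, not code from the post or from the Black Hat presentation, showing a minimal streaming matcher for the eight-byte signature quoted on the slide; the sample payloads and the `demo()` helper are constructed for illustration.

```python
"""Streaming matcher for the IDS signature quoted on the slide above.

Added example; the signature bytes come from the slide, the sample payloads
and chunking below are constructed for illustration.
"""
from typing import Dict, Iterable, List

# Signature exactly as given on the slide ("Tell your IDS about it").
IOS_EXPLOIT_SIGNATURE = b"\xFD\x01\x10\xDF\xAB\x12\x34\xCD"


def find_signature(payload: bytes, signature: bytes = IOS_EXPLOIT_SIGNATURE) -> List[int]:
    """Return every byte offset in one payload where the signature occurs.

    Overlapping occurrences are reported too, since the search restarts
    one byte after each hit rather than after the whole match.
    """
    offsets: List[int] = []
    start = payload.find(signature)
    while start != -1:
        offsets.append(start)
        start = payload.find(signature, start + 1)
    return offsets


def scan_stream(chunks: Iterable[bytes], signature: bytes = IOS_EXPLOIT_SIGNATURE) -> List[int]:
    """Scan a sequence of chunks (e.g. reassembled TCP segments) and return
    absolute stream offsets of each hit.

    The last len(signature) - 1 bytes of every chunk are carried over into the
    next one, so a signature split across a chunk boundary is still detected.
    A carried-over tail can never contain a full match on its own, so no hit
    is reported twice.
    """
    hits: List[int] = []
    carry = b""
    consumed = 0  # absolute stream offset of carry[0]
    keep = len(signature) - 1
    for chunk in chunks:
        buf = carry + chunk
        for off in find_signature(buf, signature):
            hits.append(consumed + off)
        if len(buf) > keep:
            consumed += len(buf) - keep
            carry = buf[-keep:]
        else:
            carry = buf
    return hits


def demo() -> Dict[str, List[int]]:
    """Run the matcher over constructed sample traffic and return the hits."""
    clean = b"GET /index.html HTTP/1.0\r\n\r\n"                  # constructed, no signature
    tagged = b"\x00" * 16 + IOS_EXPLOIT_SIGNATURE + b"\x90" * 8  # constructed, signature at offset 16
    split_stream = [                                              # constructed, signature split 3 + 5
        b"AAAA" + IOS_EXPLOIT_SIGNATURE[:3],
        IOS_EXPLOIT_SIGNATURE[3:] + b"BB",
    ]
    return {
        "clean": find_signature(clean),      # []
        "tagged": find_signature(tagged),    # [16]
        "split": scan_stream(split_stream),  # [4]
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

A naive per-packet `in` check would miss the `split` case entirely; the carry-over is what makes the rule worth deploying. Note that a fixed byte string like this only catches the specific payload the presenter documented, so it belongs alongside the other items on the slide (patching, disabling unneeded services, off-segment logging) rather than in place of them.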

Other slides in the presentation talk about exploits in networked
HP printers and various other brands of switches and routers.
I think this should serve as a wake-up call to the entire industry that
current engineering practices are not good enough any more. 
We should all be looking to the security auditing work done by
the OpenBSD team for an example of how systems can be 
cleaned up, fixed, and locked down if there is a will to do so.

--Michael Dillon


